Migrating data to a new encrypted volume

The method described in this topic integrates unencrypted data into the infrastructure for protected volume encryption. It works in an environment that does not use LVM.

Before you begin

You require a free volume that has sufficient space. Ensure that this volume is persistently configured to your Linux™ instance.

Procedure

  1. Create a new encrypted volume using the free volume.
    Ensure that the newly encrypted volume is formatted with a file system. For this purpose, complete steps 1 through 9 from Creating a volume for pervasive encryption. If you do not want to use LVM, adapt the steps accordingly.
  2. Mount the file system on the newly encrypted volume on a temporary mount point.
    For example:
    # mount /dev/mapper/new-enc-disk /mnt
  3. Copy the contents (meaning files and directories) from the unencrypted volume to the newly created file system.
    For example, to copy all data from /path/to-be-encrypted/data/ to the file system on the encrypted volume that is mounted on /mnt/, issue:
    # rsync -av /path/to-be-encrypted/data/ /mnt/
  4. Replace the /etc/fstab entry of the existing unencrypted volume with the device-mapper device of the encrypted volume.
    If the encrypted volume is required at startup time, ensure that an appropriate entry in /etc/crypttab exists. You have already created this entry in step 6 or 7 in Creating a volume for pervasive encryption.
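
A consistency check for the edits in step 4, as an added example that is not part of the original documentation: it confirms that the fstab entry for the mount point names the device-mapper device and that crypttab has a matching active entry. The sample files are constructed; the mount point /path/to-be-encrypted/data, the crypttab key field `none`, and the device placeholder are assumptions.

```shell
#!/bin/sh
# Added example: verify the step 4 edits before rebooting or deleting the
# unencrypted copy. The sample file contents below are constructed.

# fstab_device FSTAB MOUNTPOINT: print the device field of every active
# (non-comment, non-blank) entry whose mount point is MOUNTPOINT.
fstab_device() {
    awk -v mp="$2" '$1 !~ /^#/ && NF >= 2 && $2 == mp { print $1 }' "$1"
}

# crypttab_has CRYPTTAB NAME: exit 0 if an active entry named NAME exists.
crypttab_has() {
    awk -v n="$2" '$1 !~ /^#/ && $1 == n { found = 1 } END { exit !found }' "$1"
}

# check_migration FSTAB CRYPTTAB MOUNTPOINT NAME
# Returns 0 if consistent,
#         1 if MOUNTPOINT has no fstab entry or more than one,
#         2 if the entry does not use /dev/mapper/NAME (old device still listed),
#         3 if fstab uses /dev/mapper/NAME but crypttab has no entry for NAME.
check_migration() {
    dev=$(fstab_device "$1" "$3")
    [ "$(printf '%s' "$dev" | awk 'END { print NR }')" -eq 1 ] || return 1
    [ "$dev" = "/dev/mapper/$4" ] || return 2
    crypttab_has "$2" "$4" || return 3
    return 0
}

# Constructed sample files representing the state after step 4.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# <device> <mount point> <type> <options> <dump> <pass>' \
    '/dev/mapper/new-enc-disk /path/to-be-encrypted/data ext4 defaults 0 2' \
    > "$tmp/fstab"
printf '%s\n' '# <name> <device> <key> <options>' \
    'new-enc-disk /dev/disk/by-id/EXAMPLE-PLACEHOLDER none luks' \
    > "$tmp/crypttab"

check_migration "$tmp/fstab" "$tmp/crypttab" \
    /path/to-be-encrypted/data new-enc-disk \
    && echo "fstab and crypttab are consistent"
```

On a real system, pass /etc/fstab and /etc/crypttab with your own mount point and mapping name; a return code of 3 means the volume would not be opened at startup.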

Results

The data is now on an encrypted volume in the infrastructure for protected volume encryption.

What to do next

You should now securely delete the unencrypted data from /path/to-be-encrypted/data/ according to your security policies.